
I'm trying to route some public and private IP addresses using Ubuntu Server 18.04 using iptables. Please note: I've changed the first bits of my IP Address for privacy, but kept it numerical for readability. I've also enabled all the proper prerequisites like setting /proc/sys/net/ipv4/ip_forward.

Here's my NIC configuration:

eno1 (private, internal network)
IP: 10.0.0.1/8

enp12s0f0 (public, outgoing interface)
IP: 50.20.14.214/0
GW: 50.20.14.212

enp12s0f1 (public, internal interface)
IP: 50.20.15.1/24

Basically, enp12s0f0 is the interface connecting me to the provider.

The switch connected to enp12s0f1 will supply public IP addresses to equipment that needs them. For example, 50.20.15.20 set up as a web server, or 50.20.15.25 as a PBX server.

Finally, eno1 connects to the internal network (10.0.0.0/8) as a gateway, forwarding traffic out enp12s0f1.

Here's the configuration I've been using in /etc/rc.local:

myip=50.20.15.1
myoip=50.20.14.214

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -F
iptables -X

iptables -t nat -A POSTROUTING -o enp12s0f1 -j SNAT --to-source $myoip
iptables -t nat -A POSTROUTING -o enp12s0f0 -j SNAT --to-source $myip

#IP Routing

iptables -A FORWARD -i enp12s0f1 -j ACCEPT

iptables -t nat -A POSTROUTING -o eno1 -j SNAT --to-source $myoip

And the output of ip route is:

default via 50.20.14.213 dev enp12s0f0 proto static
10.0.0.0/8 dev eno1 proto kernel scope link src 10.0.0.1
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1 #<- NOTE: Part of my OpenVPN config
50.20.14.212/30 dev enp12s0f0 proto kernel scope link src 50.20.14.214
50.20.15.0/24 dev enp12s0f1 proto kernel scope link src 50.20.15.1

I've tried various different modifications to the configuration, and in some instances the public network works and traffic moves to the appropriate host, but then the internal network won't work at all. On other occasions, the internal network works, but it will not let any traffic through to the public internal network. I feel like it only wants to forward traffic to one of the interfaces, but I know it can do both. It seems to be just outside of reach. Pulling my hair out here! Please help :)

  • `IP: 50.20.14.214/0` looks like a typo and `50.20.14.214/30` won't work properly because in this case (on an address rather than only on a route) 50.20.14.212 will be seen as the network address (=> ethernet broadcast to it and no arp reply from it). If the gw were to be 50.20.14.213 then it would be fine. – A.B May 04 '21 at 22:16
  • Also I don't understand why you are NATing public IP addresses. Why have them if they won't be used? Actually too many things look weird to me. `iptables -A FORWARD -i enp12s0f1 -j ACCEPT` is either useless (default policy ACCEPT) or won't work (default policy DROP) because return traffic won't be allowed. – A.B May 04 '21 at 22:24
  • And please have a look at this: https://xyproblem.info/ – A.B May 04 '21 at 22:32
  • IPTables does not do routing, it does firewall duties and NAT. You need to setup the routing part of public IPs using standard routing tools and only use IPTables for NAT / firewalling. – Tero Kilkanen May 05 '21 at 06:19
  • @A.B you're correct, it was a typo. I don't want to use NAT, I converted this box from a single-IP configuration with NAT and want to have a single interface with NAT and a single interface without it. The 10.0.0.0/8 network needs to be NAT, as it will have a single IP address (preferable that of the router, 50.20.15.1). I'd love a working config, but even if someone could point me in the right direction for a website with information on what I need? There's lots on routing between single interfaces, but what about routing through multiple? Wouldn't I need multiple "default" routes? – Tim Powell May 05 '21 at 18:31
  • As for the xyproblem.info link, as much as I hate to admit it, I do see where you're coming from, and I do apologize for this ID10T-level question. I'm new to routing public IP addresses, and I had a (somehow) working config before I switched the interfaces to fiber, so I thought by simply changing to interface names around it would solve the problem. I've done very basic IP routing in the past, but I will admit I'm woefully uneducated in advanced IP routing. Working on it! But I will use this link because people do this to me all the time! Kind of reminds me of Let Me Google This For You. – Tim Powell May 05 '21 at 18:36
  • So what I assume I'd want to do is `ip route add 10.0.0.1 via 50.20.15.1 dev enp12s0f1`, except it doesn't work as expected. The interface `eno1` at `10.0.0.1/8` has no gateway setup, because it's meant to function as the gateway. I'm trying to get `10.0.0.0/8` to route so that its public IP address is `50.20.15.1`. – Tim Powell May 05 '21 at 19:17

0 Answers